Government Computer News's article, "
How to read signs of safe software," discusses the DHS-DOD Software Assurance Forum meeting that was held on March 8 & 9. The article discusses two metrics from Microsoft, one of which is the Relative Attack Surface Quotient, or
RASQ. For details about RASQ, see "
Measuring Relative Attack Surfaces" by
Jeannette Wing (a member of
TRUST.)
The other Microsoft security metric:
"... informally known as the “vulnerability coverage method,” assumes the existence of an “outside community of researchers providing a stream of vulnerability reports on new versions of Microsoft products,” Lipner said. This external research community is a “euphemism for vulnerability finders that either report or exploit” vulnerabilities.
A Microsoft team analyzes each vulnerability reported and determines whether it has been removed from the product version under development and, if not, whether it ought to be, based on the risk it presents."